---
# Source: cilium/templates/hubble-relay-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hubble-relay
  labels:
    k8s-app: hubble-relay
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: hubble-relay
  strategy:
    rollingUpdate:
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      annotations:
      labels:
        k8s-app: hubble-relay
    spec:
      affinity:
        podAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchExpressions:
                - key: "k8s-app"
                  operator: In
                  values:
                    - cilium
            topologyKey: "kubernetes.io/hostname"
      containers:
        - name: hubble-relay
          image: "{{ cilium_hubble_relay_image_repo }}:{{ cilium_hubble_relay_image_tag }}"
          imagePullPolicy: {{ k8s_image_pull_policy }}
          command:
            - hubble-relay
          args:
            - serve
          ports:
            - name: grpc
              containerPort: 4245
{% if cilium_enable_prometheus %}
            - name: prometheus
              containerPort: 9966
              protocol: TCP
{% endif %}
          readinessProbe:
            tcpSocket:
              port: grpc
          livenessProbe:
            tcpSocket:
              port: grpc
          volumeMounts:
          - mountPath: /var/run/cilium
            name: hubble-sock-dir
            readOnly: true
          - mountPath: /etc/hubble-relay
            name: config
            readOnly: true
          {% if cilium_hubble_tls_generate -%}
          - mountPath: /var/lib/hubble-relay/tls
            name: tls
            readOnly: true
          {%- endif %}

      restartPolicy: Always
      serviceAccount: hubble-relay
      serviceAccountName: hubble-relay
      terminationGracePeriodSeconds: 0
      volumes:
      - configMap:
          name: hubble-relay-config
          items:
          - key: config.yaml
            path: config.yaml
        name: config
      - hostPath:
          path: /var/run/cilium
          type: Directory
        name: hubble-sock-dir
      {% if cilium_hubble_tls_generate -%}
      - projected:
          sources:
          - secret:
              name: hubble-relay-client-certs
              items:
                - key: ca.crt
                  path: hubble-server-ca.crt
                - key: tls.crt
                  path: client.crt
                - key: tls.key
                  path: client.key
          - secret:
              name: hubble-server-certs
              items:
                - key: tls.crt
                  path: server.crt
                - key: tls.key
                  path: server.key
        name: tls
      {%- endif %}

---
# Source: cilium/templates/hubble-ui/deployment.yaml
kind: Deployment
apiVersion: apps/v1
metadata:
  namespace: kube-system
  labels:
    k8s-app: hubble-ui
  name: hubble-ui
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: hubble-ui
  template:
    metadata:
      annotations:
      labels:
        k8s-app: hubble-ui
    spec:
      securityContext:
        runAsUser: 1001
      serviceAccount: hubble-ui
      serviceAccountName: hubble-ui
      containers:
        - name: frontend
          image: "{{ cilium_hubble_ui_image_repo }}:{{ cilium_hubble_ui_image_tag }}"
          imagePullPolicy: {{ k8s_image_pull_policy }}
          ports:
            - containerPort: 8081
              name: http
          volumeMounts:
            - name: hubble-ui-nginx-conf
              mountPath: /etc/nginx/conf.d/default.conf
              subPath: nginx.conf
            - name: tmp-dir
              mountPath: /tmp
          resources:
            {}
        - name: backend
          image: "{{ cilium_hubble_ui_backend_image_repo }}:{{ cilium_hubble_ui_backend_image_tag }}"
          imagePullPolicy: {{ k8s_image_pull_policy }}
          env:
            - name: EVENTS_SERVER_PORT
              value: "8090"
            {% if cilium_hubble_tls_generate -%}
            - name: TLS_TO_RELAY_ENABLED
              value: "true"
            - name: FLOWS_API_ADDR
              value: "hubble-relay:443"
            - name: TLS_RELAY_SERVER_NAME
              value: ui.{{ cilium_cluster_name }}.hubble-grpc.cilium.io
            - name: TLS_RELAY_CA_CERT_FILES
              value: /var/lib/hubble-ui/certs/hubble-server-ca.crt
            - name: TLS_RELAY_CLIENT_CERT_FILE
              value: /var/lib/hubble-ui/certs/client.crt
            - name: TLS_RELAY_CLIENT_KEY_FILE
              value: /var/lib/hubble-ui/certs/client.key
            {% else -%}
            - name: FLOWS_API_ADDR
              value: "hubble-relay:80"
            {% endif %}

          volumeMounts:
            - name: tls
              mountPath: /var/lib/hubble-ui/certs
              readOnly: true
          ports:
            - containerPort: 8090
              name: grpc
          resources:
            {}
      volumes:
        - configMap:
            defaultMode: 420
            name: hubble-ui-nginx
          name: hubble-ui-nginx-conf
        - projected:
            sources:
            - secret:
                name: hubble-relay-client-certs
                items:
                  - key: ca.crt
                    path: hubble-server-ca.crt
                  - key: tls.crt
                    path: client.crt
                  - key: tls.key
                    path: client.key
          name: tls
        - emptyDir: {}
          name: tmp-dir
